jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
name: Jamf Protect - Alerts
relevantTechniques:
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- jamfprotectalerts_CL
connectorId: JamfProtect
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.6
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: OSFamily
columnName: DvcOs
- identifier: OSVersion
columnName: DvcOsVersion
entityType: Host
- fieldMappings:
- identifier: Address
columnName: Host_IPs
entityType: IP
- fieldMappings:
- identifier: CommandLine
columnName: TargetProcessCurrentDirectory
- identifier: ProcessId
columnName: TargetProcessId
entityType: Process
- fieldMappings:
- identifier: Algorithm
columnName: algorithm
- identifier: Value
columnName: TargetBinarySHA256
entityType: FileHash
kind: NRT
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
suppressionDuration: PT5H
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDynamicProperties:
- value: EventVendor
alertProperty: ProviderName
- value: EventProduct
alertProperty: ProductName
- value: Techniques
alertProperty: Techniques
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
alertTacticsColumnName: Tactics
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
status: Available
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
tactics:
customDetails:
Protect_Analytic: EventMessage
JamfPro_Status: JamfPro
Related_File_hash: TargetBinarySHA256
TargetbinarySign: TargetbinarySignerType
TargetBinarySignMsg: TargetBinarySigningInfoMessage
Protect_Event_Type: EventType
TargetBinarySigner: TargetBinarySigningTeamID
Protect_Tags: Tags
Related_Binaries: TargetBinaryFilePath
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
